Last Week in Security - 2024-10-15
We're Hiring!
Immediate Open Positions:
Maryland Applicants:
We have openings for a Cryptologic Computer Scientist, Cyber Operator Developer Analyst, Ethical Hacker, Information Assurance Specialist, Information Systems Security Officer, Jr. Offensive Cyber Operator, Red/Blue Team Engineer, Senior Web Application Penetration Tester, Systems Engineer, Data Scientist, HPC Software Engineer, Information Systems Security Engineer, and Reverse Engineer.
Virginia Applicants:
Available opportunities: DevSecOps Engineer and Red Team Operator - Senior.
For more open positions visit: https://www.sixgen.io/careers
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2024-10-07 to 2024-10-14.
News
Hacked ‘AI Girlfriend’ Data Shows Prompts Describing Child Sexual Abuse - A hacker targeted the AI companion site Muah.ai and stole a database of users' interactions with their chatbots, revealing users' sexual fantasies, including scenarios of child sexual abuse. The hacker discovered vulnerabilities in the website and reported the findings to 404 Media. The data includes chatbot prompts linked to personal email addresses. The breach exposes disturbing content and raises serious privacy concerns.
European govt air-gapped systems breached using custom malware - European government air-gapped systems were breached using custom malware by the APT hacking group GoldenJackal.
The Disappearance of an Internet Domain - This article discusses the potential impact of the transfer of sovereignty of the Chagos Islands to Mauritius on the .io domain suffix. It explains how geopolitical changes can disrupt the digital world and provides historical examples of similar situations with domains like .su and .yu. The fate of the .io domain remains uncertain, but the article suggests that it could either be taken over by Mauritius or phased out according to IANA rules.
Patch Tuesday, October 2024 Edition - In the Patch Tuesday edition for October 2024, Microsoft released security updates for 117 security holes, including two vulnerabilities being actively attacked. One of the vulnerabilities is in MSHTML, the engine of Internet Explorer, posing a risk to older systems. Another serious zero-day flaw was found in Microsoft Management Console. Adobe also released security updates for 52 vulnerabilities.
Internet Archive hacked, data breach impacts 31 million users - The Internet Archive was hacked, leading to a data breach where 31 million user records were compromised.
Hacked Robot Vacuums Across the U.S. Started Yelling Slurs - Robot vacuums made by Ecovacs were hacked, leading to them yelling racist slurs at owners across the U.S. Owners reported hearing profanities from the vacuums' speakers after a vulnerability in the company's software was exploited. Despite the alarming nature of the incident, some owners found humor in it and suggested it could have been worse. The incident highlights the lack of security measures in smart home devices and the risks of remote access by hackers.
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA - FortiGuard Labs has identified a case where an advanced adversary exploited three vulnerabilities in the Ivanti Cloud Services Appliance (CSA), two of which were previously unknown. The threat actor used zero-day vulnerabilities to gain initial access to the victim's network, and FortiGuard Incident Response (FGIR) services were engaged to investigate the incident. The threat actor exploited path traversal and command injection vulnerabilities to access user information and credentials and to create rogue users. The threat actor also deployed a rootkit on the CSA appliance for kernel-level persistence. Fortinet has released IPS signatures to protect customers from these threats.
Influence and cyber operations: an update (PDF) - The October 2024 report from OpenAI provides an update on influence and cyber operations, detailing current tactics, trends, and threat actors engaged in cyber influence campaigns. It highlights the use of social media manipulation, misinformation, and sophisticated cyber tactics employed by state-sponsored groups and independent actors to shape public perception and disrupt democratic institutions. The report underscores the growing integration of influence operations with traditional cyberattacks, making mitigation more challenging for governments and organizations.
Techniques and Write-ups
Run Command Abuse - The article discusses abuse of the Azure Run Command feature, which allows administrators to run scripts on Windows and Linux virtual machines. It explains how a script can be used to create a backdoor user on a Windows host and demonstrates the process of running the script through the Azure Portal. The article also provides information on auditing and alerting on Run Commands being used within a tenant.
Whispers in the Code: Inter Process Communication (IPC) and Named Pipes For Covert C2 - Inter-Process Communication (IPC) is essential for processes to communicate within an operating system, sharing data and coordinating actions. Windows provides various IPC mechanisms like Pipes, Shared Memory, Message Queues, RPC, and the clipboard. These mechanisms serve different purposes based on performance, data transfer, and synchronization requirements. Named pipes can also be used for covert Command and Control (C2) communication, letting attackers pass traffic stealthily between processes. Defenders can detect such covert C2 channels by monitoring named pipe creation and usage and by analyzing suspicious activity within processes.
Axis Camera APP takeover - r-tec recently analyzed an Axis IP Camera model F9111 in a penetration test for a customer, attempting to take over the operating system via a malicious app. The initial attempt failed, but they found an alternative method using a different app. They recommend securing management interfaces, using strong passwords, and not exposing the web interface to the internet to prevent similar attacks.
Docker Zombie Layers: Why Deleted Layers Can Still Haunt You - Unreferenced Docker layers, known as zombie layers, can persist in registries even after being removed from a manifest, potentially exposing sensitive information. Such layers are a security risk when they contain secrets, and threat actors continuously monitor registries for them. AWS ECR's tag immutability feature allows layers to be pushed before the manifest is rejected, which is one way zombie layers are created. It is crucial to revoke exposed secrets immediately and to monitor for leftover layers to protect assets and prevent attackers from exploiting infrastructure.
Can You Get Root With Only a Cigarette Lighter? - The article discusses using hardware fault injection, specifically through electromagnetic interference, to exploit vulnerabilities in hardware and software. The author demonstrates how a simple setup with a cigarette lighter can induce memory errors in a laptop, leading to privilege escalation exploits in CPython and Linux. The exploit involves manipulating page tables and TLB to gain full read/write access to physical memory, ultimately achieving root access. The author also hints at potential applications of this exploit in gaming anti-cheat software and mobile devices, and expresses curiosity about further research and development in this area.
SaladCat Revisited: Pricing Update - SaladCat has updated their pricing for their GPU offerings, moving to a spot-style "priority" system where users can pay less to rent a GPU but run the risk of having their workload bumped off by someone paying more. The pricing update shows that older GPUs like the 1650 Super and 1080ti are still competitive with newer GPUs like the 4090 in terms of hashes/dollar. The 4090 remains an excellent value at the lowest "Batch" priority, but availability may be limited due to high demand. The 3060ti also performs surprisingly well for bcrypt hashing on Salad Cloud.
Exploiting Microsoft Teams on macOS during a Purple Team engagement - During a Purple Team engagement, Quarkslab identified a vulnerability in Microsoft Teams on macOS that allowed access to a user's camera and microphone. Through static and dynamic analysis, they exploited the vulnerability to capture video and sound streams. The vulnerability was reported to Microsoft Security Response Center (MSRC), and after it was confirmed and fixed, Quarkslab published their findings in a blog post. The exploit showcased how attackers could access and manipulate user data on macOS through this vulnerability.
Exploiting AMD atdcm64a.sys arbitrary pointer dereference – Part 3 - HN Security successfully confirmed vulnerabilities in the kernel driver, allowing them to leak the base address of ntoskrnl.exe and hijack execution flow to an arbitrary location. They crafted an exploit to enable all privileges on Windows by finding specific gadgets and crafting a Return-Oriented Programming (ROP) chain. The final part of the exploit involved restoring the PML4 entry value and the original stack pointer. This allowed them to launch a shell with all privileges enabled. The exploit code is available on GitHub, and credits were given to contributors and researchers.
Grav-ity of the situation: Unauthenticated Access to RCE in Grav CMS - In this blog post, the author explores critical security vulnerabilities discovered in the Grav CMS. The vulnerabilities allow an unauthenticated attacker to escalate privileges and execute code on the server. The author details their research process, which led to the discovery of these vulnerabilities, and explains the mechanisms and potential impact of each. The attack chain begins with unauthenticated access, leading to an administrator user through various vulnerabilities such as password reset poisoning, file upload path traversal, and server-side template injection. The vulnerabilities were responsibly disclosed and fixed by the Grav maintainers, highlighting the importance of security best practices when deploying Grav with the Administrator plugin.
MMS Under the Microscope: Examining the Security of a Power Automation Standard - Team82 conducted research on the security of the MMS protocol, widely used in power substations for communication. They discovered five vulnerabilities in MMS implementations that could lead to device crashes or remote code execution. They developed a tool called MMS Stack Detector to identify specific implementations based on observed MMS payloads. The vulnerabilities were disclosed to the vendors and remediated. Additionally, they found issues in other implementations through fuzzing and responsibly disclosed them, highlighting the need for continued efforts in securing industrial control systems.
Ivanti Connect Secure - Authenticated RCE via OpenSSL CRLF Injection (CVE-2024-37404) - Ivanti Connect Secure versions prior to 22.7R2.1 and 22.7R2.2, and Ivanti Policy Secure versions prior to 22.7R1.1 contain a CRLF injection vulnerability that allows an authenticated administrator to execute arbitrary code on the underlying system. The vulnerability was reported in 2024 and a patch was developed by Ivanti but exploitation in the wild has not been confirmed. To mitigate this issue, users should update to the recommended versions and follow the guidance provided by Ivanti to secure their administrative interfaces.
Reversing Tips: (Almost) Automatically renaming functions with Ghidra - The article discusses a practical example of automatically renaming functions in a binary file using Ghidra scripting. It demonstrates how to leverage debug logging functionality to extract function names and rename them accordingly. The process involves identifying the logging functionality, creating a script in Ghidra, resolving arguments, and renaming functions with candidates. The script aims to simplify the reverse engineering process by automating the renaming of functions in closed-source binaries.
Palo Alto Expedition: From N-Day to Full Compromise - NodeZero, a platform by Horizon3.ai, offers features like AD Password Audit and Phishing Impact Testing. It is used by ITOps and SecOps teams, as well as MSSPs and MSPs. NodeZero Tripwires help in detecting threats accurately and quickly. The platform also assists in pentesting and cloud security. The blog discusses a vulnerability in Palo Alto Networks Expedition application, including command injection and SQL injection issues, and how NodeZero can help in identifying and addressing such vulnerabilities.
Give Me the Green Light Part 3: Traffic Controller Surgeon - This blog post covers acquiring and setting up a traffic controller for a lab: where to find hardware, how to power it on, how to configure the web interface, and how to troubleshoot problems powering the controllers. The post emphasizes the importance of finding controllers with Ethernet ports and offers tips on sourcing controllers from eBay or government surplus websites.
ShadowLogic: Backdoors in Computational Graphs - HiddenLayer Research has discovered a novel method called 'ShadowLogic' for creating backdoors in neural network models, allowing attackers to manipulate a model's computational graph and implant surreptitious backdoors that persist through fine-tuning. This technique poses a high-impact AI supply chain risk. The attack works by overriding the model's logic to produce attacker-defined outcomes, activated by specific triggers. This backdoor technique is format-agnostic and can be applied to various AI models, posing a significant threat to the integrity and trustworthiness of AI systems across different domains. HiddenLayer offers a security platform to protect AI models from such vulnerabilities without adding complexity.
Bypass Apache Superset restrictions to perform SQL injections - A security audit of Apache Superset revealed bypasses in the security measures implemented, allowing for SQL injections. By analyzing interactions with the API, the audit team found ways to control SQL queries executed by the DBMS. The vulnerabilities were reported to the Apache Superset security team, who acknowledged the issues and worked on deploying patches to address them in the next version release.
Beyond the good ol' LaunchAgents - 34 - launchd embedded plist - The blog post discusses techniques for persistence on macOS beyond LaunchAgents, specifically focusing on launchd boot tasks. These boot tasks are defined in the launchd configuration file, which can be accessed and manipulated to persist malicious activities. The post outlines the different types of boot tasks and the privileges required to utilize them effectively, including SIP bypass exploits and TCC permissions. In summary, the post provides insights into lesser-known persistence techniques on macOS using launchd boot tasks.
Aw, Sugar. Critical Vulnerabilities in SugarWOD - The blog post discusses critical vulnerabilities in the software platform SugarWOD, but the content is password protected. The post includes information on bypassing parental controls on Amazon Kids+, exploiting NTLMv1, and dumping usernames from Cisco Unified Call Manager. The blog is written by n00py and was last updated in October 2024.
Perfecting Ransomware on AWS — Using keys to the kingdom to change the locks - The article discusses how ransomware attacks on compromised AWS accounts have evolved with the introduction of AWS KMS XKS, allowing attackers to leverage external key stores to encrypt and hold data for ransom. The author outlines a step-by-step process for simulating ransomware attacks on AWS environments using the XKS feature, demonstrating how attackers can encrypt data in S3 buckets and EBS volumes with attacker-controlled KMS keys. The article emphasizes the importance of implementing security controls, such as Service Control Policies (SCP), to prevent unauthorized access to KMS APIs and defend against such attacks.
Downgrade attack: a story as old as Windows… - The blog post discusses a downgrade attack on Windows systems, where an attacker can replace secure binaries with older versions to exploit vulnerabilities. The author explains the challenge of preventing rollback attacks and introduces the concept of a "root of trust" using TPM. They then discuss implementing WDAC policies to prevent rollback attacks and ensure system security. The author also shares insights on debugging the system to identify vulnerabilities and protect against attacks.
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies - A 15-year-old bug hunter found a vulnerability in Zendesk that allowed attackers to read customer support tickets from any company. Zendesk initially dismissed the bug report, stating it was out of scope for their bug bounty program. The bug allowed for email spoofing that could lead to unauthorized access to support tickets. After pressure from affected companies, Zendesk finally fixed the issue, but did not pay the bug hunter a bounty due to alleged disclosure guideline violations. The bug hunter earned over $50,000 in bounties from individual companies affected by the vulnerability.
Obfuscating a Mimikatz Downloader to Evade Defender (2024) - The article demonstrates how to obfuscate a Mimikatz downloader in order to evade detection by Defender. The process involves using tools like BetterSafetyKatz, InvisibilityCloak, and DefenderCheck to identify and modify code elements that trigger Defender's detection. By renaming variables, functions, and strings, as well as moving the executable to Program Files, the author is able to successfully run the obfuscated program without triggering Defender. The article emphasizes the need for ongoing experimentation and adaptation due to the constantly evolving nature of cybersecurity defenses.
Indirect Waffles - Shellcode Loader to Bypass EDRs - Indirect Waffles is a custom shellcode loader designed to bypass EDR detection using advanced techniques such as indirect syscalls and APC injection. The blog post provides a detailed overview of the loader's features, including process creation, DLL injection policy blocking, and remote mapped injection. The author plans to create a smaller DLL payload loader in the future. The post also includes information on spoofing binary metadata to make malware less suspicious and additional resources on shellcode encryption and obfuscation.
The Sweet16 – the oldbin lolbin called setup16.exe - The Sweet16 is an old binary executable file called setup16.exe that is still present in Windows 10 and 11. By analyzing the code of setup16.exe, users can create a custom LST config file to execute programs or commands. The program accepts command line arguments like -m and -QT to specify alternative LST files and run the program in quiet mode. However, there are quirks and limitations with the program, such as the way it appends 'LST' to file names and the requirement of admin rights to run it.
Bypass Azure Admin Approval Mode for User Consent Workflow When Enumerating - In this blog post, Peter Gabaldon discusses a technique to bypass Azure Admin Approval Mode for User Consent Workflow when enumerating an Azure environment. By leveraging default Microsoft applications with certain permissions granted, such as SharePoint Online Web Client Extensibility, users can request permission from an administrator, get a token with desired scopes, and continue with enumeration tasks. The post includes an example request and response for issuing a token and connecting to Microsoft Graph to take advantage of the permissions. The post is licensed under CC BY 4.0 by the author.
Tools and Exploits
Initial PR of ADCS ESC15 - This is a GitHub pull request related to an attack called ESC15 (EKUwu). The attack exploits a vulnerability in Certificate Templates in Windows ADCS. The PR includes details about the attack, how it was discovered, and the reasons for publishing the code.
KrbRelay-SMBServer - GitHub - decoder-it/KrbRelay-SMBServer is a tool that acts as an SMB server to relay Kerberos AP-REQ to CIFS or HTTP. It is based on @cube0x0's KrbRelay and uses a trick by James Forshaw to control the SPN for relaying. Users can perform secure DNS updates to create DNS entries for relaying. The tool allows for relaying DC SMB authentication to HTTP web enrollment and requesting client certificates.
Hacking Windows through iTunes - Local Privilege Escalation 0-day - This GitHub repository contains information about a local privilege escalation exploit in iTunes version 12.13.2.3, which was patched by Apple on September 12, 2024. The vulnerability allows members of the Local Group "Users" to gain arbitrary code execution on the system with SYSTEM privileges. The exploit involves manipulating file permissions within the Apple Mobile Device Service installed by iTunes, creating a folder/file deletion primitive, and using NTFS junctions to direct file deletions. Proof of concept steps are provided to demonstrate the exploit in action.
cred1py - The GitHub repository SpecterOps/cred1py contains a Python proof of concept for exploiting CRED1 over a SOCKS5 connection with UDP support. The tool is used to perform a specific attack flow involving sending a DHCP request for a PXE image and retrieving crypto keys to decrypt a variables file. cred1py works by sending DHCP requests, downloading the first 512 bytes of the variables file, and outputting a crypto key or hashcat hash. It requires an implant with SOCKS5 enabled and the ability to make an SMB connection to a distribution server.
WhoYouCalling - GitHub repository called "WhoYouCalling" records an executable's network activity into a Full Packet Capture file (.pcap) along with other features. It allows for monitoring network activity made by a process through Windows Event Tracing (ETW) and Full Packet Capture (FPC), as well as filtering the generated .pcap file based on the detected network activity. The tool can automate monitoring of processes, export results to JSON, and generate Wireshark and BPF filters.
noldr - The GitHub repository Teach2Breach/noldr provides a Rust library for dynamically resolving API function addresses at runtime in a secure manner. It offers tools for working with Windows Portable Executable (PE) files and dynamic-link libraries (DLLs) without importing Windows API crates. The library was designed for a specific use case, such as hiding API calls and reducing dependencies in a DLL.
Netexec adds NFS support - NetExec is a tool that allows for enumeration of various network services and systems. It provides functionality for scanning vulnerabilities, enumerating users and groups, checking credentials, executing remote commands, and more. One of its new features is the ability to enumerate NFS servers and shares, allowing users to detect remote NFS servers, list shares, and access files on those shares. The tool can also enumerate files and folders on NFS shares recursively, providing information such as permissions, file size, and access lists.
Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409) exploit - This GitHub repository contains an exploit for a Ruby-SAML / GitLab Authentication Bypass vulnerability (CVE-2024-45409). The exploit allows an unauthenticated attacker with access to a signed SAML document to forge a SAML Response/Assertion and access GitLab as any user. Various versions of GitLab (CE/EE) are vulnerable, and the exploit involves modifying the XML content of the SAML response to gain unauthorized access. The exploit script provided in the repository demonstrates how to intercept and modify the SAML response to successfully authenticate and gain access to GitLab.
CVE-2024-9464: Palo Alto Expedition Authenticated Command Injection - This is a proof of concept exploit for CVE-2024-9464, a vulnerability that allows for authenticated command injection on vulnerable Palo Alto Expedition devices. The script exploits the vulnerability by chaining the admin reset of another CVE to achieve arbitrary command execution.
Not Your Grandfather’s Empire - Empire, an offensive security tool, has evolved significantly from its early days as a PowerShell-centric framework. With the introduction of features like the teamserver, support for C# and IronPython agents, Beacon Object Files (BOFs), and plugins, Empire has become a versatile platform capable of advanced tactics and bypassing security defenses. The upcoming Empire 6 release will include a non-.NET-based agent for Windows, built in Go, to further expand its capabilities. Empire continues to push the boundaries of post-exploitation frameworks and offers training opportunities for those looking to leverage its features.
CSPTPlayground - CSPTPlayground is an open-source playground designed to find and exploit Client-Side Path Traversal (CSPT) vulnerabilities. The platform allows users to experiment with exploits such as CSPT2CSRF and CSPT2XSS, showcasing the potential risks and consequences of CSPT. The project welcomes contributions from developers, researchers, designers, and bug hunters to help improve the application and make it a stronger tool for the community.
metasploit-framework - Add Support for ESC15 - This pull request on the Metasploit Framework adds support for ESC15 to various AD CS related modules. It includes a template for creating and updating vulnerable templates, fingerprinting to identify vulnerable templates, and the ability to specify OIDs for exploiting vulnerable templates. The changes also include testing for the issued certificate authentication and updating documentation for exploiting ESC15. Additionally, the pull request includes workflow documentation and support for finding ESC15 vulnerabilities.
dll-proxy-generator - The GitHub repository "dll-proxy-generator" allows users to generate a proxy DLL for any DLL, while also loading a user-defined secondary DLL. Users can use the provided executable file with various options to generate the proxy DLL. The repository also provides information on how to use the tool, including command line options and parameters.
Threat Intel and Defense
My Methodology to AWS Detection Engineering (Part 3 - Variable Scoring) - The blog series discusses the author's methodology for threat detection engineering in AWS, focusing on variable scoring in Part 3. Variable scoring is compared to adjusting a thermostat, with the base score being the default setting and adjustments made based on contextual factors. Examples of modifiers for variable scoring are provided, such as TI watchlist matches, Tier 0 resources, and user agents of interest. The author emphasizes the importance of understanding cloud-specific IOCs and maintaining a balance between tuning out noise and implementing smart modifiers.
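The base-score-plus-modifiers idea above, as an added example in Python (not code from the blog series): the event shape is a simplified CloudTrail record, and the watchlist addresses, Tier 0 role names and user-agent markers are constructed sample values rather than real indicators.

```python
"""Variable scoring for an AWS detection: a base score adjusted by contextual modifiers.

Added example, not code from the blog series. Events use a simplified
CloudTrail shape; the watchlist addresses (TEST-NET), Tier 0 role names and
user-agent markers below are constructed sample values, not real indicators.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed context that the modifiers consult.
TI_WATCHLIST = {"203.0.113.7", "198.51.100.20"}
TIER0_ROLES = {"OrganizationAccountAccessRole", "BreakGlassAdmin"}
UA_OF_INTEREST = ("python-requests", "curl")


@dataclass
class Modifier:
    name: str
    delta: int                       # signed adjustment to the base score
    applies: Callable[[dict], bool]  # predicate over the raw event


@dataclass
class ScoredEvent:
    base: int
    final: int
    applied: List[str] = field(default_factory=list)


def _source_ip(event: dict) -> str:
    return event.get("sourceIPAddress", "")


def _assumed_role(event: dict) -> str:
    # arn:aws:sts::<acct>:assumed-role/<RoleName>/<session> -> <RoleName>
    arn = event.get("userIdentity", {}).get("arn", "")
    parts = arn.split("/")
    return parts[1] if ":assumed-role/" in arn and len(parts) >= 2 else ""


def _user_agent(event: dict) -> str:
    return event.get("userAgent", "").lower()


# The "thermostat" adjustments: turn the score up for risky context, down for routine context.
MODIFIERS = [
    Modifier("ti_watchlist_match", +40, lambda e: _source_ip(e) in TI_WATCHLIST),
    Modifier("tier0_principal", +30, lambda e: _assumed_role(e) in TIER0_ROLES),
    Modifier("user_agent_of_interest", +15,
             lambda e: any(m in _user_agent(e) for m in UA_OF_INTEREST)),
    # Dampener: calls made on our behalf by an AWS service are expected noise.
    Modifier("aws_service_caller", -25, lambda e: _source_ip(e).endswith(".amazonaws.com")),
]


def score_event(event: dict, base_score: int, modifiers=MODIFIERS,
                floor: int = 0, ceiling: int = 100) -> ScoredEvent:
    """Apply every matching modifier to base_score and clamp the result to [floor, ceiling]."""
    total, applied = base_score, []
    for mod in modifiers:
        if mod.applies(event):
            total += mod.delta
            applied.append(mod.name)
    return ScoredEvent(base_score, max(floor, min(ceiling, total)), applied)


def score_sample_events(base_score: int = 30) -> Dict[str, ScoredEvent]:
    """Constructed GetSecretValue events: the same API call in very different context."""
    events = {
        "routine": {
            "eventName": "GetSecretValue",
            "sourceIPAddress": "10.20.30.40",
            "userAgent": "aws-sdk-java/2.20.0",
            "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"},
        },
        "service": {
            "eventName": "GetSecretValue",
            "sourceIPAddress": "lambda.amazonaws.com",
            "userAgent": "lambda.amazonaws.com",
            "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AppRole/fn"},
        },
        "hostile": {
            "eventName": "GetSecretValue",
            "sourceIPAddress": "203.0.113.7",
            "userAgent": "python-requests/2.31.0",
            "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/BreakGlassAdmin/x"},
        },
    }
    return {name: score_event(ev, base_score) for name, ev in events.items()}


if __name__ == "__main__":
    for name, scored in score_sample_events().items():
        print(f"{name:8} base={scored.base} final={scored.final} modifiers={scored.applied}")
```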
Awaken Likho is awake: new techniques of an APT group - Awaken Likho, an APT group, launched a campaign targeting Russian government agencies and industrial enterprises, using new tools and techniques. They have switched from using UltraVNC to MeshCentral for remote access. The attackers distribute their implant through phishing emails, showing a shift in their methods. The group remains active, with recent implants dated August 2024, and is still successfully infiltrating their selected targets' infrastructure.
Mind the (air) gap: GoldenJackal gooses government guardrails - ESET Research has analyzed two separate toolsets used by a cyberespionage threat actor known as GoldenJackal to breach air-gapped systems. GoldenJackal targeted a governmental organization in Europe between May 2022 and March 2024, using custom tools to compromise and persist in targeted networks for espionage purposes. The group has been active since at least 2019, targeting government and diplomatic entities in Europe, the Middle East, and South Asia. The toolsets used by GoldenJackal provide a wide set of capabilities for stealing confidential information, especially from high-profile machines not connected to the internet.
Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader - Trustwave's Threat Intelligence team has discovered a new malware called Pronsis Loader, which uses JPHP and diverges from D3F@ck Loader. The loader delivers different malware variants, including Lumma Stealer. Pronsis Loader does not use SSL certificates, making it easier to detect in environments that check for certificate-based security. The malware establishes persistence on systems and includes a module for defense evasion. Lumma Stealer, a predominant payload associated with Pronsis Loader files, operates under a model and has been active in the wild since 2022.
Not All Fun and Games: Lua Malware Targets Educational Sector and Student Gaming Engines - A recent webinar discussed building adaptive cyber resilient cloud solutions, with a focus on Morphisec for managed services and endpoint protection. The webinar also highlighted the threat of Lua malware targeting the educational sector and student gaming engines, with details on delivery methods and obfuscation techniques used by attackers.
Protecting Large Language Models - The blog discusses the potential risks associated with "Large-Language Models" (LLMs), such as misinformation, bias, and invasions of privacy. It highlights the need for responsible development and deployment of LLMs to mitigate these risks and uphold ethical standards.
Operation MiddleFloor: Disinformation campaign targets Moldova ahead of presidential elections and EU membership referendum - Check Point Research has identified an ongoing cyber-enabled disinformation campaign, known as Operation MiddleFloor, targeting Moldova ahead of the upcoming elections and EU membership referendum. The attackers, identified as Lying Pigeon, aim to influence public opinion against EU membership and the current pro-European leadership in Moldova. The campaign primarily uses email communications to distribute fake documents and gather victim data for potential targeted attacks. Check Point Research has linked Lying Pigeon to previous disinformation activities in Spain and Poland, indicating a persistent threat to European democratic processes.
Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware - Unit 42 has identified a campaign by DPRK threat actors posing as fake recruiters to install malware on tech industry job seekers' devices, referred to as the CL-STA-240 Contagious Interview campaign. The malware associated with this campaign includes the BeaverTail downloader and the InvisibleFerret backdoor, with new variants compiled using the Qt framework and targeting both macOS and Windows platforms. The malware steals data, including browser passwords and cryptocurrency wallets, and deploys the InvisibleFerret backdoor for remote control and exfiltration of sensitive information.
File hosting services misused for identity phishing - File hosting services like SharePoint, OneDrive, and Dropbox are being misused by threat actors for identity phishing attacks. These attacks involve sophisticated techniques like files with restricted access and view-only restrictions to evade detection and compromise identities and devices, leading to business email compromise attacks. Microsoft takes action against malicious users and recommends using multi-factor authentication and passwordless sign-in to protect against these threats. Mitigation strategies and detection details are provided to help organizations safeguard against these sophisticated phishing campaigns. The attacks have been trending, with files being delivered through email attachments like PDFs, OneNote, and Word files, often creating a sense of urgency to trick recipients into clicking malicious links.
Why Code Security Matters - Even in Hardened Environments - Code security is crucial even in hardened environments because determined attackers can exploit vulnerabilities in the source code. Sonar offers AI Code Assurance and CodeFix to ensure high-quality code generated by AI assistants. By integrating code security with NIST guidelines, Sonar helps reduce technical debt, maximize innovation, and improve code quality in DevOps environments. The blog post demonstrates how attackers can exploit a file write vulnerability in a Node.js application to achieve remote code execution, highlighting the importance of fundamental code security measures.
Measuring Detection Coverage - The article discusses the importance of measuring detection coverage in the context of Purple Teaming and Detection Engineering. It highlights the lack of standardization, models, and metrics in the industry, as well as the challenges organizations face in prioritizing detection resilience. The development of detection rules, collaboration with different teams, and the use of frameworks like ATT&CK are key aspects of building efficient detection capabilities. Additionally, the article emphasizes the need for a unified approach among Threat Intelligence, Red/Purple Teams, and SOC to improve defensive security posture.
Challenges with IP spoofing in cloud environments - IP spoofing here means forging the X-Forwarded-For header so that a web service behind a reverse proxy attributes a request to a client IP the attacker chose, defeating IP-based allowlists, rate limits and audit trails and making malicious activity harder to trace. The root of the problem is that each proxy appends to X-Forwarded-For rather than replacing it, so the leftmost value is whatever the client sent; any application that reads the first entry is spoofable. Defences covered in the post are resetting (overwriting) the header at the edge, sanitising it manually, trusting only platform-specific headers that the cloud load balancer sets itself, or trusting only the last value of X-Forwarded-For (counting back over the known number of trusted proxies). Whichever option fits the deployment, the header must be treated as attacker-controlled until it has been validated.
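The spoof-and-append behaviour described above, as an added example that is not code from the linked post: a naive resolver that reads the leftmost X-Forwarded-For value beside two hardened ones, one that walks the chain from the right skipping known proxies and one that assumes a fixed number of trusted hops. The trusted ranges (203.0.113.0/24 for the edge, 10.0.0.0/8 for internal load balancers) and the sample request are constructed for the example.

```python
import ipaddress

# Hypothetical trusted-proxy ranges for this example (the real values come
# from your own deployment): edge proxies and internal load balancers.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),   # edge proxies (documentation range)
    ipaddress.ip_network("10.0.0.0/8"),       # internal load balancers
]


def parse_xff(value):
    """Split an X-Forwarded-For header into its comma-separated hop list."""
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def is_trusted(hop, trusted=TRUSTED_PROXIES):
    """True if hop parses as an IP inside one of the trusted proxy ranges."""
    addr = ipaddress.ip_address(hop)          # raises ValueError on junk
    return any(addr in net for net in trusted)


def client_ip_naive(headers, peer_ip):
    """VULNERABLE: trusts the leftmost X-Forwarded-For value.

    Every proxy appends to the header, so the leftmost entry is whatever the
    client itself sent. An attacker supplies 'X-Forwarded-For: 1.2.3.4' and
    the application believes it.
    """
    value = headers.get("X-Forwarded-For")
    return parse_xff(value)[0] if value else peer_ip


def client_ip_rightmost_untrusted(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """HARDENED: walk the chain from the right, skipping known proxies.

    The chain is the header hops plus the TCP peer that delivered the request.
    Everything to the right of the first untrusted address was written by our
    own proxies and is reliable; everything to its left is client-controlled.
    """
    chain = parse_xff(headers.get("X-Forwarded-For", "")) + [peer_ip]
    for hop in reversed(chain):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            return None   # malformed hop where an address should be: refuse to attribute
    return chain[0]       # every hop is a trusted proxy: the client is an internal one


def client_ip_by_trusted_hops(headers, peer_ip, trusted_hops):
    """HARDENED (alternative): assume a fixed number of trusted proxies.

    With N trusted proxies in front of the app, the client is always the
    (N+1)th address from the right of the chain. Fewer hops than expected
    means the request bypassed a proxy, so it is rejected.
    """
    chain = parse_xff(headers.get("X-Forwarded-For", "")) + [peer_ip]
    if len(chain) < trusted_hops + 1:
        return None
    hop = chain[-(trusted_hops + 1)]
    try:
        return str(ipaddress.ip_address(hop))
    except ValueError:
        return None


# Constructed request, as the app sees it after two proxies: the attacker sent
# 'X-Forwarded-For: 1.2.3.4', the edge (203.0.113.10) appended the attacker's
# real address 198.51.100.7, the internal LB (10.0.0.5) appended the edge, and
# the LB is the TCP peer.
SPOOFED_REQUEST = {"X-Forwarded-For": "1.2.3.4, 198.51.100.7, 203.0.113.10"}
PEER = "10.0.0.5"

if __name__ == "__main__":
    print("naive:    ", client_ip_naive(SPOOFED_REQUEST, PEER))                # 1.2.3.4 (spoofed)
    print("rightmost:", client_ip_rightmost_untrusted(SPOOFED_REQUEST, PEER))  # 198.51.100.7
    print("by hops:  ", client_ip_by_trusted_hops(SPOOFED_REQUEST, PEER, 2))   # 198.51.100.7
```

The rightmost-untrusted walk is the more forgiving of the two hardened versions (it keeps working when a proxy tier is added), but it only stays safe if the trusted ranges are exact; the fixed-hop version fails closed when a request arrives with fewer hops than the topology guarantees.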
Lynx Ransomware: A Rebranding of INC Ransomware - Researchers from Palo Alto Networks have discovered a new ransomware called Lynx, which is a rebranding of the previous INC ransomware. Lynx ransomware has been targeting organizations in various sectors in the US and UK since its emergence. The ransomware shares a significant portion of its source code with INC and operates using a ransomware-as-a-service model. The threat operators behind Lynx ransomware use phishing emails, malicious downloads, and hacking forums to disseminate the ransomware, and they also engage in double extortion by exfiltrating victim data before encrypting it.
Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions - Earth Simnavaz, also known as APT34, has been launching advanced cyberattacks against governmental entities in the UAE and Gulf region. They use sophisticated tactics such as deploying backdoors through Microsoft Exchange servers for credential theft and leveraging vulnerabilities like CVE-2024-30088 for privilege escalation. These attacks aim to establish a persistent foothold in compromised entities to launch further attacks on additional targets. Trend Micro's research provides insights into the tactics and tools used by Earth Simnavaz, highlighting the need for intelligence-driven incident response and a Zero Trust architecture to mitigate these threats effectively.
Microsoft’s guidance to help mitigate Kerberoasting - Microsoft has published guidance on mitigating Kerberoasting, an attack against Active Directory in which any authenticated domain user requests Kerberos service tickets for accounts that carry Service Principal Names (SPNs) and cracks those tickets offline to recover the accounts' passwords. The attack is becoming more effective as GPU-based password cracking gets cheaper, so short or guessable service-account passwords fall quickly. The recommended mitigations are to use Group Managed Service Accounts (gMSAs), whose passwords are long, random and rotated automatically, or to set long, randomly generated passwords on service accounts by hand; to audit user accounts that have SPNs; and to configure the encryption types used for Kerberos service tickets so that AES is used rather than RC4. Following these recommendations reduces an organisation's exposure to Kerberoasting.
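The audit step in the guidance, as an added example that is not Microsoft's code: a small check that walks exported account records, skips gMSAs and disabled accounts, and flags SPN-bearing user accounts that still advertise RC4/DES, have no AES encryption type, leave msDS-SupportedEncryptionTypes unset, or have an old password. The records are constructed for the example; the encryption-type bit values and the FILETIME format of pwdLastSet are Active Directory's own, and the note that an unset value falls back to a domain default that still permits RC4 is an assumption about a default-configured domain.

```python
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit flags (the Kerberos etypes an account advertises).
ENC_TYPES = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
WEAK_ENC = 0x01 | 0x02 | 0x04      # DES and RC4: tickets crack quickly offline
AES_ENC = 0x08 | 0x10
UAC_ACCOUNTDISABLE = 0x0002        # userAccountControl flag
GMSA_CLASS = "msDS-GroupManagedServiceAccount"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done in integers to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_enc_types(value):
    """Names of the etype bits set in msDS-SupportedEncryptionTypes."""
    return [name for bit, name in ENC_TYPES.items() if value and value & bit]


def audit_spn_accounts(accounts, now, max_password_age_days=365):
    """Flag roastable accounts that fall short of the mitigation guidance.

    Each account is a dict of the LDAP attributes used below. gMSAs are skipped
    (their passwords are long, random and auto-rotated) and so are disabled
    accounts (no ticket can be issued for them).
    """
    findings = []
    for acct in accounts:
        if not acct.get("servicePrincipalName"):
            continue    # no SPN: nothing to request a ticket for
        if acct.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE:
            continue
        if acct.get("objectClass") == GMSA_CLASS:
            continue
        issues = []
        enc = acct.get("msDS-SupportedEncryptionTypes")
        if not enc:
            # Assumption: unset/0 means the domain default applies, which still
            # includes RC4 unless DefaultDomainSupportedEncTypes was tightened.
            issues.append("etypes unset: domain default applies (RC4 likely allowed)")
        else:
            weak = decode_enc_types(enc & WEAK_ENC)
            if weak:
                issues.append("weak etypes allowed: " + ", ".join(weak))
            if not enc & AES_ENC:
                issues.append("no AES etype enabled")
        age_days = (now - filetime_to_datetime(acct.get("pwdLastSet", 0))).days
        if age_days > max_password_age_days:
            issues.append(f"password last set {age_days} days ago")
        if issues:
            findings.append({"sAMAccountName": acct["sAMAccountName"], "issues": issues})
    return findings


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _utc(2024, 10, 14)

# Constructed sample export (not real directory data). 0x10200 is
# NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD; 0x10202 adds ACCOUNTDISABLE.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": 0x04, "userAccountControl": 0x10200,
     "pwdLastSet": datetime_to_filetime(_utc(2019, 3, 1))},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/intranet.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x18, "userAccountControl": 0x10200,
     "pwdLastSet": datetime_to_filetime(_utc(2024, 8, 1))},
    {"sAMAccountName": "svc_legacy", "objectClass": "user",
     "servicePrincipalName": ["CIFS/files01.corp.example"],
     "userAccountControl": 0x10200,
     "pwdLastSet": datetime_to_filetime(_utc(2024, 9, 1))},
    {"sAMAccountName": "svc_retired", "objectClass": "user",
     "servicePrincipalName": ["HOST/old01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x04, "userAccountControl": 0x10202,
     "pwdLastSet": datetime_to_filetime(_utc(2018, 1, 1))},
    {"sAMAccountName": "gmsa_app$", "objectClass": GMSA_CLASS,
     "servicePrincipalName": ["HTTP/app.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x18, "userAccountControl": 0x1000,
     "pwdLastSet": datetime_to_filetime(_utc(2024, 10, 1))},
    {"sAMAccountName": "jdoe", "objectClass": "user",
     "userAccountControl": 0x200, "pwdLastSet": datetime_to_filetime(_utc(2024, 5, 1))},
]

if __name__ == "__main__":
    for finding in audit_spn_accounts(SAMPLE_ACCOUNTS, NOW):
        print(finding["sAMAccountName"], "->", "; ".join(finding["issues"]))
```

In a real run the records would come from an export of the same attributes, for example `Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties servicePrincipalName,msDS-SupportedEncryptionTypes,pwdLastSet,userAccountControl`, with gMSAs listed separately via `Get-ADServiceAccount`. On the constructed data only `svc_sql` (RC4-only, no AES, five-year-old password) and `svc_legacy` (encryption types unset) are reported.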
FASTCash for Linux - This post analyzes a newly identified variant of FASTCash malware specifically targeting Linux operating systems. The malware intercepts declined card transactions and authorizes them using a predefined list of account numbers with added funds in Turkish Lira. The Linux variant, compiled for Ubuntu Linux 20.04, has reduced functionality compared to the Windows version. The post delves into the terminology and technology of card transaction processing systems and provides technical analysis of the Linux variant's code and functionalities. Recommendations for detection and prevention of such malware are also provided.
Mamba 2FA: A new contender in the AiTM phishing ecosystem - This blog post examines Mamba 2FA, a new phishing toolkit in the adversary-in-the-middle (AiTM) phishing ecosystem. Rather than serving a static fake login page, the toolkit relays the victim's credentials and MFA response to the real identity provider in real time and captures the resulting session cookie, so the attacker ends up with an authenticated session even though the victim completed two-factor authentication.
New PhantomLoader Malware Distributes SSLoad: Technical Analysis - This blog explains how attackers use Telegram to intercept and exploit stolen data through automated bots that send credentials to private channels. It covers how hackers integrate Telegram into malware and phishing attacks, making it easier to transfer sensitive data anonymously and quickly.
Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader - This blog discusses "Pronsis Loader," a malware loader that has diverged from "D3F@ck Loader," and highlights its use of JPHP (a PHP implementation that runs on the Java virtual machine) to deliver payloads to compromised systems. The loader is part of an evolving ecosystem of malicious tooling that lets attackers run PHP code on target hosts as a staging mechanism for further payloads. The post covers how the loader operates, analyses its architecture, and assesses the risk posed by this unusual approach to spreading malicious code.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
Finding TeamViewer 0days - Part I - The author discovered a vulnerability in TeamViewer's IPC communication with its SYSTEM service that allows arbitrary driver installation, and with it privilege escalation from a standard user to the kernel. The client talks to the service over sockets, and the service was not verifying the signature of the driver it was asked to install. The post details the structure of the IPC messages and the authentication scheme that protects them. Early exploit attempts failed because of that authentication, which the author notes must be understood before the flaw can be exploited reliably.
Hunting for M365 Password Spraying - Huntress offers a Managed Security Platform that provides full endpoint visibility, detection, and response, as well as security awareness training and MDR for Microsoft 365. They focus on hunting for M365 password spraying attacks, which target user credentials. The platform looks for unusual authentication patterns and behaviors to detect and respond to such attacks. By actively hunting for threats, Huntress aims to protect organizations from compromise and recommends implementing strong password protection and multi-factor authentication to enhance security.
Tools and tips round up: Finding deleted tweets and new tools from Bellingcat - The article provides a roundup of tools and tips for digital investigations, including finding deleted tweets and new tools from Bellingcat. It mentions tools like Search Grid Generator, Shadow Finder Tool, and Online Investigations Toolkit. It also lists various other tools and resources for online investigations. Additionally, it mentions upcoming free and paid workshops and provides resources related to the US election.